Red Hat Earns NIST Certification for OpenSCAP
March 21, 2017
OpenSCAP 1.2, which is an open source Security Content Automation Protocol
(SCAP) scanner, has been certified by the National Institute of
Standards and Technology as a U.S. government evaluated
configuration and vulnerability scanner for Red Hat Enterprise
Linux 6 and 7-based systems. This certification shows that
OpenSCAP can analyze and evaluate security automation content
correctly and has the functionality and documentation required
by NIST to run in sensitive, security-conscious environments.
David Egts, chief technologist, Public Sector, with Red Hat
said, “Continuous, repeatable scanning processes are key to
keeping modern, increasingly complex computing environments more
secure and safe, and open standards help to make these processes
achievable. NIST’s new certification of OpenSCAP on the world’s
leading enterprise Linux platform provides a flexible, powerful
SCAP scanner built on open standards, making it easier for
agencies and other organizations to add verifiable, repeatable
security scanning to their repertoires.”
Alex Johns, security analyst, COACT added, “Red Hat’s OpenSCAP
technology is a proven asset for organizations that must utilize
a validated scanner to meet their security and compliance needs.
OpenSCAP met all of the applicable SCAP 1.2 testing requirements
and correctly implemented the features and functions available
through SCAP for the Red Hat Enterprise Linux 6 32-bit, Red Hat
Enterprise Linux 6 64-bit, and Red Hat Enterprise Linux 7 64-bit
platforms. It was a pleasure working with such a proactive
development team throughout the validation process.”
A synthesis of interoperable specifications based on in-depth
community collaboration, SCAP provides an overarching security
format that security vendors supporting the standard can use.
The standard defines common operations for security scanners,
providing for security content that can be written once and run
on another certified scanner, enabling repeatable security
assessments to be done more quickly and continuously for policy
compliance. Created more than five years ago, OpenSCAP is an
open source, joint initiative between the National Security
Agency, Red Hat, and the broader open source community to
address these standards.
In the U.S., the General Services Administration (GSA) requires
that technologies included in blanket purchase agreements for
vulnerability and configuration management products have formal
NIST SCAP certification (Special Notice QTA0-08-HC-B-003).
Recently, this requirement has been expressed in product
requirements in support of the DHS Continuous Diagnostics and
Mitigation (CDM) program.
With the new NIST certification, Red Hat customers required to
use SCAP for regulatory reasons, or in support of DHS CDM, no
longer need to request waivers or exemptions for their Red Hat
The OpenSCAP certification extends across the Red Hat portfolio
• Red Hat Enterprise Linux: In addition to providing OpenSCAP
as a system administration tool, OpenSCAP has been integrated
directly into the Red Hat Enterprise Linux installer. Systems
can now operate in continuous security compliance from
deployment through the end of their lifecycle.
• Red Hat Satellite: Lifecycle management for Red Hat
Enterprise Linux-based hosts, including enterprise configuration
and vulnerability scanning.
• Red Hat CloudForms: Red Hat’s award-winning hybrid cloud
management platform, offering security insight across cloud
• Atomic Scan: Delivered as part of Red Hat Enterprise Linux
Atomic Host, Atomic Scan is the first NIST-certified
configuration and vulnerability scanner for Linux Containers.
Atomic Scan is capable of scanning container registries, even
when containers are offline, using container introspection.
• SCAP Workbench: A graphical utility built for system
administrators and security officers to more easily tailor and
customize SCAP-based security profiles, without requiring
in-depth knowledge of the underlying SCAP standards.
In addition to natively providing OpenSCAP tooling in Red Hat
Enterprise Linux and associated system management offerings, Red
Hat provides the underlying development libraries for OpenSCAP.
With these libraries, independent software vendors (ISVs) can
embed NIST-certified configuration and vulnerability scanning
into their applications built for Red Hat Enterprise Linux,
extending these capabilities across bare metal, virtualized, and
Security automation content, consumable by OpenSCAP and other
SCAP-certified tools, is provided through the SCAP Security
Guide package. Security compliance profiles are included in both
Red Hat Enterprise Linux 6 and 7 for standards such as the
Department of Defense Security Technical Implementation Guide (STIG),
PCI compliance, and FBI Criminal Justice Information Systems (CJIS).